DDoS Attack Briefly Cripples the FCC Comment System

The U.S. Federal Communications Commission (FCC) reported this week that its website comment system was bombarded by a distributed denial of service (DDoS) attack on May 8, shortly after the agency requested public comments about potential changes to the Net Neutrality laws. (The current FCC Chair, Ajit Pai, recently announced that his agency intends to jettison Net Neutrality rules.)

Because there is concern that someone purposely stifled democratic input from thousands of web visitors, this incident is not just a matter of inconvenience to the agency or its website visitors; rather, it could be seen as meddling in a democratic process. The agency website comments section is certainly not a voting machine, but it was supposed to serve—temporarily, at least—as an official repository of public comments on the issue of Net Neutrality laws. Therefore this hacking incident has raised the hackles (pun intended) of some politicians, including two Democratic Senators (Sens. Ron Wyden of Oregon and Brian Schatz of Hawaii) who wrote a letter to Pai to ask him about the FCC’s defenses against such an attack, and alternative methods of soliciting public comments. Included in their letter were the following questions:

“Does the FCC use a commercial DDoS protection service? If not, why not? To the extent that the FCC utilizes commercial DDoS protection products, did these work as expected? If not, why not?

“Did the DDoS attacks prevent the public from being able to submit comments through the FCC’s website? If so, do you have an estimate of how many individuals were unable to access the FCC website or submit comments during the attacks? Were any comments lost or otherwise affected?”

It’s hardly surprising that DDoS attacks finally caught the attention of politicians; it was just a matter of time until a DDoS attack affected a government agency. A combination of events has led to more awareness of cyber threats, including DDoS attacks. Consider that until the massive DDoS attack on Domain Name Service Provider Dyn occurred last autumn, politicians scarcely knew about, much less commented on, DDoS attacks. Then, along came news that Russia hacked into the computer systems of U.S. political parties, which had nothing to do with a DDoS attack but certainly raised awareness about cybersecurity issues.

It’s common knowledge that anyone with a grudge can launch a DDoS attack; even if they lack the IT skill to pull it off themselves, they can hire a DDoS-for-hire service on the dark Web to do it for them, for a few hundred to a few thousand dollars, depending on the duration and volume of the attack. In the case of the FCC, this seems like an act of political “hacktivism,” which is unethical and illegal (if people want to protest the FCC they should follow legal, traditional channels). It could have been launched by perpetrators who wanted to protest the FCC, or it could have been launched by a cyber terrorist from a nation-state. Either scenario is bad, but if it was launched by a nation-state actor, that is the worse of the two.

The incident is somewhat ironic, given that it happened to the FCC website; one would expect that agency, which oversees Internet policies, would have better DDoS protection in place. Now the agency seems to face some political pressure to implement a better DDoS solution in the near future to prevent problems like this.

The incident is also interesting because the FCC’s Internet Service Provider could stop such DDoS attacks if it implemented the right technology. One potential reason it has not is that some ISPs are wary of blocking any traffic, because that in itself could be seen as a violation of Net Neutrality laws. Consumers generally favor Net Neutrality rules, but when it comes to blocking/controlling some Internet traffic, I think most consumers would agree it makes sense to block DDoS traffic.

Of course, ISPs do not want any dirty traffic traversing their networks. Until recently, however, it was both expensive and technically difficult to block the dirty traffic and make sure that no “clean” traffic was blocked in the process. That is changing, now that modern DDoS protection technology has made it easier and more affordable to block only the bad traffic.